Scan a Single Amazon S3 Account

Before you can scan an Amazon S3 app, you must configure an AWS IAM policy, an IAM user, a role, and (optionally) an S3 bucket in which CloudTrail logs the events that occur in your Amazon S3 buckets.
To configure the Amazon S3 app to scan a single AWS account:
  1. Log in to your AWS Console at aws.amazon.com.
  2. Select Services > Security, Identity & Compliance > IAM.
  3. Configure the Prisma SaaS policy used to connect to the Amazon S3 app.
    1. Select Policies > Create policy, and then select Create Your Own Policy.
    2. Enter the Policy Name as prisma-saas-s3-policy and provide an optional description of the policy.
    3. Copy and paste the following configuration into the Policy Document section:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:Get*",
              "s3:List*",
              "s3:Put*",
              "s3:Delete*",
              "s3:CreateBucket",
              "iam:GetUser",
              "iam:GetRole",
              "iam:GetUserPolicy",
              "iam:ListUsers",
              "cloudtrail:GetTrailStatus",
              "cloudtrail:DescribeTrails",
              "cloudtrail:LookupEvents",
              "cloudtrail:ListTags",
              "cloudtrail:ListPublicKeys",
              "cloudtrail:GetEventSelectors",
              "ec2:DescribeVpcEndpoints",
              "ec2:DescribeVpcs",
              "config:Get*",
              "config:Describe*",
              "config:Deliver*",
              "config:List*"
            ],
            "Resource": "*"
          }
        ]
      }

    4. Click Create Policy.
  4. Configure the account Prisma SaaS will use to access the Amazon S3 logs:
    1. Select Users > Add user.
    2. Enter the user name as prisma-saas-s3-user.
    3. To generate an access key ID and secret access key for Prisma SaaS to use to access the Amazon S3 service, enable Programmatic access.
    4. Select Next: Permissions.
    5. Select Attach existing policies directly.
    6. Search for and select the check box next to the prisma-saas-s3-policy you created in the previous step.
    7. Click Next: Review > Create User.
      Note your Access key ID and Secret access key.
    8. Click Close.
  5. If you have not already done so, configure CloudTrail logging. This lets CloudTrail record the management and data events of your Amazon S3 buckets in the CloudTrail bucket of your choice, where the Amazon S3 app reads them.
    1. To find your AWS account ID, click your username at the top right and copy the Account number. You will need your account number later in this procedure.
    2. Select Services > Management Tools > CloudTrail > Trails > Add new trail.
    3. Enter the Trail name prisma-saas-s3-trail.
    4. Set Apply trail to all Regions to Yes.
    5. In the Data events area, enter the name of each bucket that you want Prisma SaaS to scan. You can also choose Select all S3 buckets in your account to enable Prisma SaaS to scan all of your S3 buckets. The interface offers auto-completion as you type. Repeat the process to select additional buckets.
    6. To create a bucket in which CloudTrail will store management and data event logs, enter the S3 bucket name as prisma-saas-s3-<AWS account ID> in the Storage location area.
      Take note of the S3 bucket (CloudTrail bucket name) and region.
    7. Click Create.
